by Willy Leichter
Director, Product & Solutions Marketing
Axway
I want to be the voice of the realist here, because there’s a lot of hype around DLP, yet DLP implementation projects have often failed because it can be such a complex, daunting undertaking.
As numerous bleeding-edge companies pilot DLP projects, they find it can be an enormous challenge. When you consider all the possible ways information can leak, most organizations resemble Swiss cheese. How do you plug up all those holes?
That question leads to a couple of dilemmas. One, if you lock things down well, then you shut down business, an effect worse than the problem you’re trying to solve. Two, the business-unit owner is supposed to own the information, but since IT is usually running the DLP products, IT is put in the position of being the bad guys who force the business-unit owner to confront issues that they do not want to confront.
To keep this from being too overwhelming, I recommend a couple of basic starting points that will maximize your DLP effectiveness while minimizing your frustrations.
First, instead of trying to boil the ocean, look for things that have become established best practices and the information that is most critical for your organization to protect. This doesn’t include all possible things that might need protecting, just really top-of-the-list information. And often, that’s regulated information. Healthcare data is obvious. But PCI compliance, credit card numbers, social security numbers—those are the things that, more and more, you need to be concerned about. In a vast orchard of data, this is low-hanging fruit!
Second, protect the obvious egress point: email. There are pretty straightforward steps that almost all organizations should be taking to prevent well-intentioned employees from sending sensitive information—often by accident—into the clear, specifically credit card numbers, social security numbers, and healthcare identifiers. This is relatively easy, and it addresses the most common way people accidentally send information.
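To make the second step concrete, here is an added example of the kind of outbound email check it describes. It is not code from the original post or from Axway's products: a small content filter that scans a message to external recipients for credit card numbers (validated with the Luhn checksum to cut false positives) and US social security numbers, and returns a block/deliver verdict with masked reasons so that the alert itself does not leak the data. The sample message, the internal domain `example.com`, and the recipient list are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# 13 to 19 digits, optionally separated by single spaces or hyphens
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in AAA-GG-SSSS form, rejecting area 000/666/9xx, group 00 and serial 0000
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for a plausible card number, false for random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return normalized card numbers that pass the Luhn check."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> List[str]:
    return [m.group() for m in SSN_RE.finditer(text)]


def mask(value: str) -> str:
    """Keep only the last four characters so alerts do not repeat the sensitive value."""
    return "*" * (len(value) - 4) + value[-4:]


@dataclass
class Verdict:
    action: str          # "deliver" or "block"
    reasons: List[str]   # human-readable, masked findings for the alert


def inspect_outbound(message: str, internal_domain: str, recipients: List[str]) -> Verdict:
    """Block a message that carries card numbers or SSNs to any recipient outside the organization."""
    external = [r for r in recipients if not r.lower().endswith("@" + internal_domain.lower())]
    if not external:
        return Verdict("deliver", [])
    reasons = []
    for pan in find_pans(message):
        reasons.append(f"credit card number {mask(pan)} addressed to {', '.join(external)}")
    for ssn in find_ssns(message):
        reasons.append(f"social security number {mask(ssn)} addressed to {', '.join(external)}")
    return Verdict("block" if reasons else "deliver", reasons)


# Constructed sample: one real-looking card number (Luhn-valid test value), one SSN,
# and an order reference that looks like a card number but fails the Luhn check.
SAMPLE_MESSAGE = (
    "Hi,\n"
    "Patient billing: card 4111 1111 1111 1111, SSN 123-45-6789.\n"
    "Order ref 1234 5678 9012 3456.\n"
    "Thanks"
)

if __name__ == "__main__":
    verdict = inspect_outbound(SAMPLE_MESSAGE, "example.com", ["partner@vendor.example"])
    print(verdict.action)
    for reason in verdict.reasons:
        print(" -", reason)
```

The Luhn check is what keeps this usable day to day: without it, order numbers, tracking numbers and phone numbers would trip the filter constantly and the business would learn to ignore the alerts. Masking the matched values in the reasons means the notification sent to the employee or to IT is itself safe to forward.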
Third, think of DLP in the broader case. Trying to thwart someone intent on stealing is much more challenging than preventing mistakes. Focus first on preventing well-intentioned employees from making stupid mistakes, like accidentally copying files that can cause liability, or setting up rogue FTP servers.
Many organizations put limits on the size of the files their employees can transmit, but they don’t tell the employee what to do if they need to send something larger. This leads to a lot of well-intentioned employees coming up with ways to send large files and get their jobs done. A lot of serious incidents have happened this way—employees copying CDs and DVDs, employees sending things over Yahoo accounts to their own computers, employees sending discs via snail mail. IT must not ignore the “What do we do if we don’t allow them to use email to send big files?” question. IT must provide mechanisms that allow employees to reliably send large files rather than just block those files and say no.
It’s important that you raise awareness within the organization that you’re taking steps regarding these issues. If you’re filtering stuff, you should raise alerts and make people aware why you’re taking these steps. Nine times out of ten, once you start content filtering, the incident rate drops dramatically, because employees don’t want an alert and they don’t want to be flagged by IT. They want to comply. These practices tend to train the group better than actual training. And what better proof of an initiative’s success than consciousness being so fundamentally raised that, after a time, the ongoing need for the initiative becomes largely moot?
September 23, 2009
Categories: Data Leak Prevention, Information Technology, Managed File Transfer, Security. Tags: Compliance, cybersecurity, Data Leak Prevention, data security, dlp, e-mail, file transfer protocol, Managed File Transfer, PCI. Author: axway